Erays: Reverse Engineering Ethereum s Opaque Smart Contracts

Size: px

Start display at page:

Download "Erays: Reverse Engineering Ethereum s Opaque Smart Contracts"

Robert Bates
5 years ago
Views:

1 Erays: Reverse Engineering Ethereum s Opaque Smart Contracts Yi Zhou, Deepak Kumar, Surya Bakshi, Joshua Mason, Andrew Miller, Michael Bailey University of Illinois Urbana-Champaign 1

2 Introduction: Ethereum 2

3 Introduction: Ethereum Smart Contracts Computer programs on the blockchain Written in high level language (Solidity) Executed in the Ethereum Virtual Machine (EVM) 3

4 Solidity Code contract dummy { uint s; function foo(uint a) public returns (uint) { while (a < s) { if (a > 10) { a += 1; } else { a += 2; } } return a; } } 4

5 Compiled Contract e5763ffffffff7c fbebd b600080fd5b e fd5b a565b f35b60005b a f565b b606d565b a a7a fc9f61669f3d0fe36966d60c64042dec36a23ac 89e6b4ebe1752f2c7ca

6 EVM Bytecode PUSH1 0x80 PUSH1 0x40 MSTORE PUSH1 0x04 CALLDATASIZE LT PUSH1 0x3e JUMPI PUSH4 0xffffffff PUSH29 0x PUSH1 0x00 CALLDATALOAD 6

7 Problem: Opaque/proprietary contracts EVM bytecode is not easily understandable High level source code is not always available Contract functionality remains opaque/proprietary 7

8 Ecosystem: Total Count: 1,024,886 Unique Count: 34,328 How many contracts are there? 8

9 Ecosystem: How many contracts are opaque/proprietary? 10,387 Solidity Source Files Collected (from Etherscan) 35 Versions (v0.1.3 to v0.4.19) of Solidity Compilers Used 88,426 Unique Binaries Compiled 9

10 Ecosystem: Measuring Opacity Contracts Total 1,024,886 Unique 34,328 (100.0%) Unique Transparent 7,734 (22.5%) Unique Opaque 26,594 (77.5%) 10

11 Ecosystem: Measuring Opacity Contracts Total 1,024,886 Unique 34,328 (100.0%) Unique Transparent 7,734 (22.5%) Unique Opaque 26,594 (77.5%) 11

12 Erays 12

13 Erays: System Design Control Flow Graph Recovery Lifting Optimization Aggregation Control Flow Structure Recovery 13

14 Control Flow Graph Recovery Identify basic block boundaries JUMPDEST PUSH1 0x0 JUMPDEST PUSH1 0x0 SLOAD DUP3 LT ISZERO PUSH1 0x93 JUMPI 1 14

15 Control Flow Graph Recovery Identify basic block boundaries JUMPDEST PUSH1 0x0 JUMPDEST PUSH1 0x0 SLOAD DUP3 LT ISZERO PUSH1 0x93 JUMPI 1 15

16 Control Flow Graph Recovery Identify basic block boundaries Organize basic blocks into a CFG Emulate the contract using a stack model Explore the contract in a manner similar to Depth First Search Record stack images at each block entrance 1 16

17 JUMPDEST PUSH1 0x88 JUMPI PUSH1 0x93 JUMPI PUSH1 0x8f JUMP PUSH1 0x6d JUMP return Control Flow Graph Recovery 17

18 JUMPDEST PUSH1 0x88 JUMPI PUSH1 0x93 JUMPI PUSH1 0x8f JUMP PUSH1 0x6d JUMP return Control Flow Graph Recovery 18

19 JUMPDEST PUSH1 0x88 JUMPI PUSH1 0x93 JUMPI PUSH1 0x8f JUMP PUSH1 0x6d JUMP return Control Flow Graph Recovery 19

20 JUMPDEST PUSH1 0x88 JUMPI PUSH1 0x93 JUMPI PUSH1 0x8f JUMP PUSH1 0x6d JUMP return Control Flow Graph Recovery 20

21 JUMPDEST PUSH1 0x88 JUMPI PUSH1 0x93 JUMPI PUSH1 0x8f JUMP PUSH1 0x6d JUMP return Control Flow Graph Recovery 21

22 JUMPDEST PUSH1 0x88 JUMPI PUSH1 0x93 JUMPI PUSH1 0x8f JUMP PUSH1 0x6d JUMP return Control Flow Graph Recovery 22

23 JUMPDEST PUSH1 0x88 JUMPI PUSH1 0x93 JUMPI PUSH1 0x8f JUMP PUSH1 0x6d JUMP return Control Flow Graph Recovery 23

24 JUMPDEST PUSH1 0x88 JUMPI PUSH1 0x93 JUMPI PUSH1 0x8f JUMP PUSH1 0x6d JUMP return Control Flow Graph Recovery 24

25 JUMPDEST PUSH1 0x88 JUMPI PUSH1 0x93 JUMPI PUSH1 0x8f JUMP PUSH1 0x6d JUMP return Control Flow Graph Recovery 25

26 Lifting: Stack-based to Register-based Convert stack-based operations into register-based representation (R. Vallee-Rai 1999) $s2 Map stack slots to registers $s1 $s

27 Lifting: Stack-based to Register-based Convert stack-based operations into register-based representation (R. Vallee-Rai 1999) ADD $s2 0x2 Map stack slots to registers Assign registers to each bytecode (using stack height) $s1 0x3 $s0 0xb

28 Lifting: Stack-based to Register-based Convert stack-based operations into register-based representation (R. Vallee-Rai 1999) ADD $s2 0x2 Map stack slots to registers Assign registers to each bytecode (using stack height) $s1 0x3 $s0 0xb

29 Lifting: Stack-based to Register-based Convert stack-based operations into register-based representation (R. Vallee-Rai 1999) ADD $s2 0x2 + 0x3 Map stack slots to registers Assign registers to each bytecode (using stack height) $s1 $s0 0xb

30 Lifting: Stack-based to Register-based Convert stack-based operations into register-based representation (R. Vallee-Rai 1999) ADD $s2 0x5 Map stack slots to registers Assign registers to each bytecode (using stack height) $s1 $s0 0xb

31 Lifting: Stack-based to Register-based Convert stack-based operations into register-based representation (R. Vallee-Rai 1999) $s2 ADD Map stack slots to registers Assign registers to each bytecode (using stack height) $s1 0x5 $s0 0xb

32 Lifting: Stack-based to Register-based Convert stack-based operations into register-based representation (R. Vallee-Rai 1999) $s2 ADD $s1, $s2, $s1 Map stack slots to registers Assign registers to each bytecode (using stack height) $s1 0x5 $s0 0xb

33 Lifting: Stack-based to Register-based Convert stack-based operations into register-based representation (R. Vallee-Rai 1999) Map stack slots to registers Assign registers to each bytecode (using stack height) PUSH1 SLOAD DUP3 LT ISZERO PUSH1 JUMPI 0x0 0x

34 Lifting: Stack-based to Register-based Convert stack-based operations into register-based representation (R. Vallee-Rai 1999) Map stack slots to registers Assign registers to each bytecode (using stack height) MOVE $s4, 0x0 SLOAD $s4, [$s4] MOVE $s5, $s2 LT $s4, $s5, $s4 ISZERO $s4, $s4 MOVE $s5, 0x93 JUMPI $s5, $s

35 Lifting: Stack-based to Register-based Convert stack-based operations into register-based representation (R. Vallee-Rai 1999) Introduce new instructions

36 Lifting: Stack-based to Register-based Convert stack-based operations into register-based representation (R. Vallee-Rai 1999) Introduce new instructions INTCALL, INTRET MOVE ASSERT NEQ, GEQ, LEQ, SL, SR

37 Optimization: Removing Redundancy Global optimizations (1973 G. Kildall) MOVE $s4, 0x0 SLOAD $s4, [$s4] MOVE $s5, $s2 LT $s4, $s5, $s4 ISZERO $s4, $s4 MOVE $s5, 0x93 JUMPI $s5, $s

38 Optimization: Removing Redundancy Global optimizations (1973 G. Kildall) Constant propagation MOVE $s4, 0x0 SLOAD $s4, [0x0] MOVE $s5, $s2 LT $s4, $s5, $s4 ISZERO $s4, $s4 MOVE $s5, 0x93 JUMPI 0x93, $s

39 Optimization: Removing Redundancy Global optimizations (1973 G. Kildall) Constant propagation Copy propagation MOVE $s4, 0x0 SLOAD $s4, [0x0] MOVE $s5, $s2 LT $s4, $s2, $s4 ISZERO $s4, $s4 MOVE $s5, 0x93 JUMPI 0x93, $s

40 Optimization: Removing Redundancy Global optimizations (1973 G. Kildall) Constant propagation Copy propagation Dead code elimination -- SLOAD $s4, [0x0] -- LT $s4, $s2, $s4 ISZERO $s4, $s4 -- JUMPI 0x93, $s

41 Optimization: Removing Redundancy Global optimizations (1973 G. Kildall) Constant propagation Copy propagation Dead code elimination -- SLOAD $s4, [0x0] -- LT $s4, $s2, $s4 ISZERO $s4, $s4 -- JUMPI 0x93, $s4 Local optimizations

42 Optimization: Removing Redundancy Global optimizations (1973 G. Kildall) Constant propagation Copy propagation Dead code elimination -- SLOAD $s4, [0x0] GEQ $s4, $s2, $s4 -- JUMPI 0x93, $s4 Local optimizations

43 Optimization: Removing Redundancy Global optimizations (1973 G. Kildall) Constant propagation SLOAD $s4, [0x0] GEQ $s4, $s2, $s4 JUMPI 0x93, $s4 Copy propagation Dead code elimination Local optimizations

44 Aggregation: Condensing the Output Convert register-based instructions into three address form SLOAD $s4, [0x0] GEQ $s4, $s2, $s4 JUMPI 0x93, $s

45 Aggregation: Condensing the Output Convert register-based instructions into three address form $s4 = S[0x0] $s4 = $s2 $s4 if ($s4) goto 0x

46 Aggregation: Condensing the Output Convert register-based instructions into three address form Aggregate instructions into nested expressions (R. Vallee-Rai 1999) $s4 = S[0x0] $s4 = $s2 $s4 if ($s4) goto 0x

47 Aggregation: Condensing the Output Convert register-based instructions into three address form Aggregate instructions into nested expressions (R. Vallee-Rai 1999) -- $s4 = $s2 S[0x0] if ($s4) goto 0x

48 Aggregation: Condensing the Output Convert register-based instructions into three address form Aggregate instructions into nested expressions (R. Vallee-Rai 1999) if ($s2 S[0x0]) goto 0x

49 Aggregation: Condensing the Output Convert register-based instructions into three address form if ($s2 S[0x0]) goto 0x93 Aggregate instructions into nested expressions (R. Vallee-Rai 1999)

50 Control Flow Structure Recovery Separate each public function subgraph Use structural analysis (M. Sharir 1980) Match subgraphs to control constructs (while, if then else) Collapse matched subgraphs

51 ASSERT(0 == msg.value) $s2 = C[0x4] if ($s2 >= S[0x0]) goto 0x93 if ($s2 <= 0xa) goto 0x88 $s2 = 0x1 + $s2 goto 0x8f $s2 = 0x2 + $s2 goto 0x6d M[$m] = $s2 RETURN($m, 0x20) Control Flow Structure Recovery 51

52 ASSERT(0 == msg.value) $s2 = C[0x4] if ($s2 >= S[0x0]) goto 0x93 if ($s2 <= 0xa) { $s2 = 0x2 + $s2 } else { $s2 = 0x1 + $s2 } goto 0x6d M[$m] = $s2 RETURN($m, 0x20) Control Flow Structure Recovery 52

53 ASSERT(0 == msg.value) $s2 = C[0x4] if ($s2 >= S[0x0]) goto 0x93 if ($s2 <= 0xa) { $s2 = 0x2 + $s2 } else { $s2 = 0x1 + $s2 } goto 0x6d M[$m] = $s2 RETURN($m, 0x20) Control Flow Structure Recovery 53

54 ASSERT(0 == msg.value) $s2 = C[0x4] while (0x1) { if ($s2 >= S[0x0]) break if ($s2 <= 0xa) { $s2 = 0x2 + $s2 } else { $s2 = 0x1 + $s2 } } M[$m] = $s2 RETURN($m, 0x20) Control Flow Structure Recovery 54

55 ASSERT(0 == msg.value) $s2 = C[0x4] while (0x1) { if ($s2 >= S[0x0]) break if ($s2 <= 0xa) { $s2 = 0x2 + $s2 } else { $s2 = 0x1 + $s2 } } M[$m] = $s2 RETURN($m, 0x20) Control Flow Structure Recovery 55

56 Validation Construct test cases using historical transactions Leverage Geth to generate the expected transaction output Execute our representation and compare the output 56

57 Validation Construct test cases using historical transactions Leverage Geth to generate the expected transaction output Transactions Total 15,855 (100.0 %) Execute our representation and compare the output 57

58 Validation Construct test cases using historical transactions Leverage Geth to generate the expected transaction output Transactions Total 15,855 (100.0 %) Success 15,345 (96.8%) Execute our representation and compare the output 58

59 Validation Construct test cases using historical transactions Leverage Geth to generate the expected transaction output Execute our representation and compare the output Transactions Total 15,855 (100.0 %) Success 15,345 (96.8%) Failures 510 (3.2%) 59

60 Validation Construct test cases using historical transactions Leverage Geth to generate the expected transaction output Execute our representation and compare the output Transactions Total 15,855 (100.0 %) Success 15,345 (96.8%) Failures 510 (3.2%) Construction Failures 196 (1.2%) 60

61 Validation Construct test cases using historical transactions Leverage Geth to generate the expected transaction output Execute our representation and compare the output Transactions Total 15,855 (100.0 %) Success 15,345 (96.8%) Failures 510 (3.2%) Construction Failures 196 (1.2%) Comparison Failures 314 (2.0%) 61

62 Use Case 62

63 Erays: Function Fuzzy Hash Binary X Function A Function B Function C 63

64 Erays: Function Fuzzy Hash Binary X Function A Hash A 0x746f7563 Compute Fuzzy Hash Function B Function C 64

65 Erays: Function Fuzzy Hash Binary X Function A Function B Function C Hash A 0x746f7563 Hash B 0x d Hash C 0x

66 Erays: Code Sharing Binary X Function A Function B Function C Hash A 0x746f7563 Hash B 0x d Hash C 0x Binary Y Function B Function D Hash D 0x

67 Case Studies 67

68 Case Study: High Value Contracts Look for opaque contracts with large Ether balance ~ $590M Multi-signature wallets likely used by the Gemini exchange Multi-Signature Wallet: signature scheme requiring k-of-n signatures. Security best practice for large sums of money 68

69 Case Study: High Value Contracts Look for opaque contracts with large Ether balance ~ $590M / 3 contracts Multi-signature wallets likely used by the Gemini exchange Interesting, time-dependent withdrawal policies Multi-Signature Wallet: signature scheme requiring k-of-n signatures. Security best practice for large sums of money 69

70 Time Dependency Hazard Found block.timestamp used in contract Erays reveals it is used to control the delay of withdrawal requests Useful auditing tool, even for opaque contracts 70

71 Case Study: Duplicate Contracts Look for opaque contracts with the most instances Exchange user wallets Poloniex: ~350,000 contracts Yunbi: ~90,000 contracts A different approach to handling user funds 71

72 Case Study: EtherDelta Arbitrage Decentralized token exchanges (DEX) operate entirely on-chain Etherdelta

73 Case Study: EtherDelta Arbitrage Decentralized token exchanges (DEX) operate entirely on-chain Etherdelta Arbitrageur Behavior Evidence of arbitrageurs DEX

74 Case Study: EtherDelta Arbitrage Decentralized token exchanges (DEX) operate entirely on-chain Etherdelta Arbitrageur Behavior Evidence of arbitrageurs Executing a buy/sell mismatch for a profit DEX

75 Case Study: EtherDelta Arbitrage Bots Arbitrageurs must publish gadgets to facilitate arbitrage Create functions to validate the order and new trade Implement atomic batch trades (or fail) Arbitrageur Behavior Buy/Sell Trades Gadg. Assert or revert both trades DEX

76 Case Study: CryptoKitties 76

77 77

78 Case Study: CryptoKitties On-chain game code is published with source code Game mechanism well understood 78

79 Case Study: CryptoKitties Developers who know the algorithm aren t allowed to play the game! 79

80 Case Study: CryptoKitties Developers who know the algorithm aren t allowed to play the game! So obviously we had to target this function 80

81 Case Study: CryptoKitties Matron bits Randomness(block hash) Sire The block hash is used to inject random mutations into genes and to select a parent for a gene Child 81

82 Case Study: CryptoKitties Matron bits Randomness(block hash) Sire The block hash is used to inject random mutations into genes and to select a parent for a gene Found a more effective breeding strategy Child 82

83 Case Study: CryptoKitties Matron bits Randomness(block hash) Sire The block hash is used to inject random mutations into genes and to select a parent for a gene Found a more effective breeding strategy 5 4 Child 3 2 Don t rely on security through obscurity! 83

84 Conclusion Ethereum smart contract ecosystem is largely opaque ~ 1M contracts, 34K unique, 77.5% unique opaque 84

85 Conclusion Ethereum smart contract ecosystem is largely opaque ~ 1M contracts, 34K unique, 77.5% unique opaque Erays converts EVM bytecode into higher level representations yizhou7@illinois.edu 85

86 Conclusion Ethereum smart contract ecosystem is largely opaque ~ 1M contracts, 34K unique, 77.5% unique opaque Erays converts EVM bytecode into higher level representations yizhou7@illinois.edu The utility of Erays is demonstrated in several case studies High value wallets, exchange user wallets, arbitrage bots, CryptoKitties secret algorithm 86

Smart!= Secure - Breaking Ethereum Smart Contracts. Elliot Ward & Jake Humphries

Smart!= Secure - Breaking Ethereum Smart Contracts Elliot Ward & Jake Humphries Elliot Ward Senior Security Consultant @elliotjward eward@gdssecurity.com Jake Humphries Security Consultant @jake_151 jhumphries@gdssecurity.com